[f-nsp] SSL termination without source nat
Stefan Hegger
Stefan.Hegger at lycos-europe.com
Thu Jun 28 03:39:59 EDT 2007
Hi,
I have a problem with an unsupported behaviour of our ServerIron 450:
SW: Version 09.5.02aTD2 Copyright (c) 1996-2003 Foundry Networks, Inc.
Compiled on Jan 02 2007 at 19:23:56 labeled as WXM09502a
(4066267 bytes) from Primary WXM09502a.bin
HW: ServerIronGT E-2 Switch, SYSIF version 21, Serial #: Non-exist
SL 1: B0GMR WSM6 Management Module, SYSIF 2, M6, ACTIVE
SL 2: J-BxGC16 JetCore Gig Copper Module, SYSIF 2
SL 3: WSM3-SSL Module, SYSIF 2, M6, ACTIVE
The problem is the following: When using SSL on a dedicated blade as we use
it, you have to use source NAT. This is what Foundry says. If you use source
NAT you lose the client IP address. Some of our applications do not read the
client's IP from the URL header, so "port http request-insert client-ip" does
not work. So we found the following setup.
I would like to explain our setup. The SI is single-armed to a Cisco router.
We run all needed VLANs on this single-arm connection. To create a virtual
interface with IP 172.16.1.9 we use the following command:

    SLB-SSH@SI#server source-ip 172.16.1.9 255.255.255.0 172.16.1.1
Because the real server is not connected directly to the switch, we use the
following setup and use no source NAT. The real server has to send all
traffic back to the SI, so we use 172.16.1.9 as default GW for HTTP and SSL
(policy-based routing):

    SLB-SSH@SI#server remote-name rs1 172.16.1.10
     port http
     port http keepalive
     port http url "HEAD /"
     port http l4-check-only
     port ssl
     port ssl keepalive
This is the setup of the VIP, nothing really unusual:

    SLB-SSH@SI#server virtual virtual.vip.lyceu.net 1.1.1.1
     sym-priority 200
     predictor round-robin
     port http
     port ssl ssl-terminate sslcertificate
     port ssl request-insert client-ip
     bind http rs1 http
     bind ssl rs1 ssl
The interesting thing is that it works in this setup. No problems seen. We see
the client IP address and SSL works fine as well. Does anybody use a similar
configuration?
We did only some testing and did not have a lot of traffic, so I'm afraid that
we'll run into problems when we get some traffic.
Best Stefan
--
Stefan Hegger
Internet System Engineer
Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33312 Gütersloh
Phone:
Tel: +49 5241 8071 334
Fax: +49 5241 80671 334
Mobile: +49 170 1892720
Registered office: Gütersloh
Gütersloh District Court, HRB 2157
Managing Director: Christoph Mohn
<http://www.lycos-europe.com/L/A/>
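The post contrasts two ways the backend can learn the client address: with source NAT the real server only sees the SSL blade's address and must rely on the inserted client-IP header; without source NAT (the policy-based-routing setup above) the TCP peer address already is the client. The example below is an added illustration, not code from the post or from Foundry: a backend-side helper that honours the inserted header only when the TCP peer is the load balancer's own address (172.16.1.9 from the post), and otherwise falls back to the peer address, so a client that reaches the server directly cannot forge its apparent address. It assumes the header name is X-Forwarded-For, which is not stated in the post, and the sample requests are constructed.

```python
import ipaddress

# Assumption: the address the ServerIron uses toward the real server
# (the "server source-ip" from the post). Only requests arriving from
# here may carry a trustworthy inserted client-IP header.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.1.9/32")]

# Assumption: header name written by "request-insert client-ip".
CLIENT_IP_HEADER = "x-forwarded-for"

# Constructed sample requests (not from the post).
SAMPLE_VIA_LB = (
    b"GET / HTTP/1.1\r\nHost: virtual.vip.lyceu.net\r\n"
    b"X-Forwarded-For: 203.0.113.7\r\n\r\n"
)
SAMPLE_DIRECT_FORGED = (
    b"GET / HTTP/1.1\r\nHost: virtual.vip.lyceu.net\r\n"
    b"X-Forwarded-For: 10.0.0.1\r\n\r\n"
)


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of an HTTP request into a lower-cased dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def effective_client_ip(remote_addr: str, headers: dict,
                        trusted=TRUSTED_PROXIES,
                        header: str = CLIENT_IP_HEADER) -> str:
    """Return the address the application should log and apply ACLs to.

    The inserted header is used only when the TCP peer is a trusted
    load balancer. In the no-NAT setup from the post the peer is the
    client itself, so the peer address is returned unchanged.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted):
        return str(peer)  # direct connection: ignore any supplied header
    value = {k.lower(): v for k, v in headers.items()}.get(header)
    if not value:
        return str(peer)  # LB did not insert anything (e.g. plain HTTP port)
    # The header may hold a comma-separated chain; the first hop is the client.
    candidate = value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)  # malformed value: do not trust it


if __name__ == "__main__":
    print(effective_client_ip("172.16.1.9", parse_headers(SAMPLE_VIA_LB)))
    print(effective_client_ip("198.51.100.5", parse_headers(SAMPLE_DIRECT_FORGED)))
```

With source NAT in place the first call yields the real client (203.0.113.7) because the request came through the blade; the second call ignores the forged header because the peer is not the load balancer. In the post's policy-based-routing setup the peer already is the client for the HTTP port, and the helper simply returns it.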